HarborGuard Database

Severity: CRITICAL | CVE-2026-46860 | CNA: oracle

CVE-2026-46860: Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General)

Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MySQL Router. Successful attacks of this vulnerability can result in takeover of MySQL Router. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical unauthenticated remote code execution vulnerability affects MySQL Router versions 9.0.0 through 9.7.0 in the Router General component. An attacker with network access over HTTP requires no credentials and no victim interaction to exploit this flaw. Successful exploitation results in full takeover of the MySQL Router instance, giving the attacker complete control over confidentiality, integrity, and availability. No upstream fix has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment Oracle ships a fix.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle MySQL Router in affected version ranges.

Triage (status: Available)

HarborGuard scores this CVE at 9.8 Critical (CVSS v3.1) and is capable of applying per-environment compliance policy weighting to adjust priority and route the finding to the appropriate team inbox inside each customer organization.

Patch (status: Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fixed release appears. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the MySQL Router HTTP interface over the network; no physical or local access is required.

  • Authentication: Not required

    No credentials of any privilege level are needed; the vulnerability is exploitable by a completely unauthenticated attacker.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user or administrator on the target system.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.

Blast Radius

  • A successful attacker gains full read access to all data handled by MySQL Router, including proxied credentials, query content, and connection metadata.
  • The attacker can modify or inject data in transit between clients and backend MySQL instances, corrupting or tampering with persisted database rows.
  • The attacker can crash or take over the MySQL Router process, denying database connectivity to all applications routed through it.
  • Because Router sits in the path of all backend database traffic, a takeover can serve as a pivot point for lateral movement toward upstream MySQL servers.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46860 is active across connected registries and pipelines, matching any image that packages MySQL Router 9.0.0 through 9.7.0. Because Oracle has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a remediated version is released. In the interim, compensating controls worth considering include network-policy isolation that restricts HTTP access to the MySQL Router port to known, authorized source CIDRs only; egress filtering to prevent outbound connections from a compromised Router process; and, where architecture permits, placing Router behind an authenticated reverse proxy to add a credential barrier in front of the exposed HTTP interface. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically once an upstream fix version is available, with no manual steps required.
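The detection step above amounts to matching a package inventory against the advisory's affected range, 9.0.0 through 9.7.0 inclusive. The following is an added example, not HarborGuard's or Oracle's code, showing the one pitfall that matters in such a check: versions must be compared numerically, because as strings "9.10.0" sorts below "9.7.0". The package names ("mysql-router", "mysql-router-community"), the distro-style suffix handling, and the image inventory are assumptions constructed for the example.

```python
"""Added example (not HarborGuard's or Oracle's code): flag container images whose
MySQL Router package falls inside the CVE-2026-46860 affected range 9.0.0..9.7.0.
"""

# Affected range as published in the advisory; both ends are inclusive.
AFFECTED_MIN = (9, 0, 0)
AFFECTED_MAX = (9, 7, 0)

# Assumed package names under which MySQL Router may appear in an SBOM or
# package inventory; adjust to whatever your scanner reports.
ROUTER_PACKAGES = {"mysql-router", "mysql-router-community"}


def parse_version(version: str) -> tuple:
    """Turn '9.7.0' (or a distro-tagged '9.7.0-1.el9') into a comparable int tuple.

    Anything after the first '-' or '+' is treated as a packaging suffix and
    dropped, since the advisory range refers to the upstream Router version.
    Missing components are padded with zeros so '9.7' compares like '9.7.0'.
    """
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_affected(version: str) -> bool:
    """True when the MySQL Router version lies within 9.0.0..9.7.0 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_inventory(inventory) -> list:
    """inventory: iterable of (image, package, version) triples.

    Returns [(image, version), ...] for every MySQL Router package in range.
    Unparseable versions are reported too, because a version a scanner cannot
    read should be reviewed by a human rather than silently passed.
    """
    findings = []
    for image, package, version in inventory:
        if package.lower() not in ROUTER_PACKAGES:
            continue
        try:
            hit = is_affected(version)
        except ValueError:
            hit = True  # unknown version: surface it for manual review
        if hit:
            findings.append((image, version))
    return findings


# Constructed sample inventory (image names and versions are invented for
# the example). "9.10.0" is included only to show the string-compare pitfall.
SAMPLE_INVENTORY = [
    ("registry.example/app-router:1.4", "mysql-router-community", "9.3.0"),
    ("registry.example/legacy-router:8", "mysql-router-community", "8.4.3"),
    ("registry.example/router-next:test", "mysql-router-community", "9.10.0"),
    ("registry.example/api:2.0", "openssl", "3.0.13"),
    ("registry.example/router-el9:9.7", "mysql-router", "9.7.0-1.el9"),
    ("registry.example/router-unknown:dev", "mysql-router", "latest"),
]


if __name__ == "__main__":
    for image, version in scan_inventory(SAMPLE_INVENTORY):
        print(f"CVE-2026-46860 candidate: {image} (mysql-router {version})")
```

Feed it the package list from whatever SBOM or scanner output you already have; the "unknown version" branch is deliberate, since an image tagged only "latest" is exactly the kind of artifact that slips through a strict range check.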

Affected packages

  • Oracle Corporation / MySQL Router: ≤ 9.7.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H